Malicious PDF — malware analysis report

Static analysis result for SHA-256 c513493e3965341c…

MALICIOUS

PDF

44.3 KB Created: 2020-08-30 06:20:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ac3bc053967fd4a9015d31569f2a4fa4 SHA-1: 16b94bc306a779d81386100986e16f8eab3062a2 SHA-256: c513493e3965341cdfc60b61e131dfe8d4a5ef951f4a70be647b4e6a0447d957
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a lure related to a "Jillian Michaels meal plan" and embeds a link to a known malicious redirector. The redirector is likely used to serve further malicious content or lead the user to a phishing page. The PDF also contains a large number of links to other PDFs hosted on Shopify, likely for SEO manipulation to improve the ranking of the malicious lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.cc/wix?keyword=jillian+michaels+meal+plan+one+week
    • https://cdn.shopify.com/s/files/1/0429/1097/4108/files/boxejegatuxavagagawizule.pdf
    • https://cdn.shopify.com/s/files/1/0432/8669/1998/files/online_text_editor_without_watermark.pdf
    • https://cdn.shopify.com/s/files/1/0432/8787/1646/files/rirezogunab.pdf
    • https://cdn.shopify.com/s/files/1/0435/3202/6008/files/61679672739.pdf
    • https://cdn.shopify.com/s/files/1/0431/7573/9553/files/21685195109.pdf
    • https://cdn.shopify.com/s/files/1/0438/6937/2576/files/the_orc_and_the_pie.pdf
    • https://cdn.shopify.com/s/files/1/0431/4382/3517/files/26783651752.pdf
    • https://static.usrfiles.com/ugd/cb5dea_3dd009ab445b4bcda0523385f92fd486.pdf
    • https://static.usrfiles.com/ugd/756799_28f42d5c8d61497aa0cf804d8a5d8fd2.pdf
    • https://static.usrfiles.com/ugd/4f270c_beac971e62e34af3afe9d3f09590e906.pdf
    • https://static.usrfiles.com/ugd/b8c837_c76d37e2515a4a21b7f32e3888465f3a.pdf
    • https://cdn.shopify.com/s/files/1/0436/1509/2894/files/antrenmanlara_matematik_2.pdf
    • https://cdn.shopify.com/s/files/1/0432/0129/8594/files/baahubali_480p_hd_movie.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000612f.bin
bca35e42204122ce64f2680d73d13c60a941b671d583ba746a0ddbe6882707ef		 pdf-font-stream PDF embedded font (sfnt) at offset 0x612F 4932 bytes
font_01_sfnt_off000071c2.bin
c247d2c0d1d3bbe8e263beae4bc33cb6eb29c46eea15be230a3b10bcdec49bbf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71C2 10692 bytes
font_02_sfnt_off00009641.bin
0d0f64e27578eb124b8bc81c7eceacdd166e22eddd95c81328e9fbd7de2a6333		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9641 4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.